Goodbye Privacy. Conventional Security Measures Can Be Neutered By A Careless Programmer

Mike Gualtieri
Vice President, Principal Analyst
October 17, 2012

More and more data is stored online by both consumers and businesses. The convenience of using services such as Dropbox, Box, Google Drive, Microsoft Live Skydrive, and SugarSync is indisputable. But, is it safe? All of the services certainly require a user password to access folders, and some of the services even encrypt the stored files. Dropbox reassures customers, "Other Dropbox users can't see your private files in Dropbox unless you deliberately invite them or put them in your Public folder."

The security measures employed by these file-synching and sharing services are all well and good, but they can be instantly, innocently neutered by a distracted programmer. Goodbye privacy. All your personal files, customer lists, business plans, and top-secret product designs become available for all the world to see. How can this happen even though these services use sophisticated authentication and encryption technologies? The answer: a careless bug introduced in the code.

Below is some Java code I wrote for a fictitious file-sharing service called CloudCabinet to demonstrate how this can happen. Imagine a distracted programmer texting her girlfriend on her iPhone while cutting and pasting Java code. Even non-Java programmers should be able to find the error in the code below.

 

 

Fortunately (and hopefully) mature application development teams have rigorous testing processes that find security holes before devastating code like this makes it into production. If, as SugarSync says, "Your peace of mind and the security of your files are our top priority," then don't just tell me about your authentication and encryption for file access, transfer, and storage. Tell me how your testing processes will catch coding errors that could compromise the security of my files.
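
The following is an added example, not the author's original CloudCabinet code: a hypothetical copy-paste slip in a file-access check, next to the corrected check and the kind of negative authorization test that catches the difference. All class, method, user, and file names are assumptions made for illustration.

```java
import java.util.Map;

// Added example: hypothetical names throughout, not the original CloudCabinet code.
public class CloudCabinetAccessDemo {

    record StoredFile(String owner, String contents) {}

    // Constructed sample data: two users, one private file each.
    static final Map<String, StoredFile> FILES = Map.of(
        "alice/plan.txt", new StoredFile("alice", "business plan"),
        "bob/list.txt",   new StoredFile("bob", "customer list"));

    // Buggy check: a copy-paste slip compares the file's owner with itself,
    // so the condition is always true and any authenticated user passes.
    static boolean canReadBuggy(String requester, StoredFile f) {
        return f.owner().equals(f.owner());
    }

    // Corrected check: the authenticated requester must be the owner.
    static boolean canReadFixed(String requester, StoredFile f) {
        return f.owner().equals(requester);
    }

    interface AccessCheck { boolean allows(String requester, StoredFile f); }

    // Negative authorization test: every user tries every file and must be
    // refused unless they own it. Returns the number of violations found.
    static int countViolations(AccessCheck check) {
        int violations = 0;
        for (String user : new String[] {"alice", "bob"}) {
            for (Map.Entry<String, StoredFile> e : FILES.entrySet()) {
                boolean shouldAllow = e.getValue().owner().equals(user);
                if (check.allows(user, e.getValue()) != shouldAllow) {
                    violations++;
                    System.out.println("VIOLATION: " + user + " -> " + e.getKey());
                }
            }
        }
        return violations;
    }

    public static void main(String[] args) {
        System.out.println("buggy check violations: "
            + countViolations(CloudCabinetAccessDemo::canReadBuggy));
        System.out.println("fixed check violations: "
            + countViolations(CloudCabinetAccessDemo::canReadFixed));
    }
}
```

Login and encryption are untouched in both versions; only a test that asserts one user is refused another user's file distinguishes them.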
